ABSTRACT

Current regulations and guidelines established by the Department of Health, Education and Welfare for the maintenance of confidentiality in educational research are summarized. Key terms, such as "system of records", are defined and elaborated upon. The responsibilities of the funding agency and its research contractors are enumerated and explained. Recommended procedures for ensuring compliance with the privacy and confidentiality statutes and regulations are discussed, especially regarding the actual collection of data and the maintenance of computerized data files.

At present, there are four major Federal confidentiality and privacy statutes which regularly impinge upon educational evaluations. These are the Privacy Act (PL93-579, 5 USC 552a), the Protection of Human Subjects clause in the National Research Act (PL93-348, 42 USC 2891-1), the Family Educational Rights and Privacy Act (the "Buckley Amendment") (PL93-380, Section 438, 20 USC 1232g), and the Freedom of Information Act (PL93-502, 5 USC 552). Inasmuch as a summary of each statute is readily available (Weinberger and Michael, 1976, 1977; Michael and Weinberger, 1977), neither their detailed regulations nor their redundancies and noneducational clauses will be discussed here. Rather, this paper will concentrate on the guidelines and procedures that are currently necessary for general compliance with these statutes as far as educational researchers are concerned.

Generally speaking, these statutes place the responsibility for compliant educational research on both the Federal funding agency (i.e., DHEW) and the actual researcher. In order to comply with these statutes, the researcher must first be able to describe three things about his or her data: 1) does it include information that is personally identifiable; 2) if so, who has access to that information; 3) has the individual been properly informed of his rights and of the consequences regarding his participation in the research (if the individual is a minor, has the parent or guardian been properly informed)?

If the data collected is not personally identifiable, then most of the privacy regulations become moot. The one exception is that the individual must be informed of this complete anonymity. Also, the intention to maintain anonymity is not the same as actually doing so from the start: as long as the potential for individual identification exists, the researcher has definite legal responsibilities to ensure confidentiality.

Here are certain key terms that should be kept in mind:

• human subjects - not merely limited to people on whom experiments are performed. Current interpretation of the law also places questionnaire respondents, interviewers and observers in this category.

• individual - a living citizen of the United States or an alien lawfully admitted for permanent residence. In the case of minors, parents or guardians are also included. A business firm which is identified by the name of one or more individuals is not considered an individual under the Privacy Act.

• maintain - to maintain, operate, collect, use or disseminate.

• record - any item, collection or grouping of information about an individual, maintained by an agency or its contractors for a specified purpose, that contains his or her name, identifying number, symbol, fingerprints, voiceprints, photographs or any other means of direct identification. "Identifying number" refers to Social Security numbers, drivers' licenses, draft registration numbers, etc., which are clearly and unambiguously linked to individuals. Arbitrary ID numbers, so long as they cannot possibly be translated into these direct forms of personal identification, do not count.

• system of records - a group of any records under the control of any agency or its contractors from which data can be retrieved by the name of the individual or any other identifying particular assigned to that individual.

• agency - for the purposes of privacy legislation, the source of funding, i.e., the Department of Health, Education and Welfare.

• privacy - the right of an individual to 1) determine what records pertaining to him or her are being maintained by Federal agencies, 2) prevent such records obtained for a particular purpose from being used for some other purpose without his or her consent, 3) gain access to, copy, correct, or amend such records, 4) be assured that such records have been maintained for lawful purposes and 5) have redress if the maintenance of such records is deemed unlawful.

• confidentiality - the obligation of an agency and its contractors to ensure the privacy rights of the individuals on whom they maintain records.

• security - specific methods to ensure confidentiality, especially the prevention of unauthorized access.

• consent - the authorization, written or otherwise, by an individual for an agency and its contractors to maintain a record pertaining to that individual. Current practice allows for positive consent to be assumed if individuals have been informed in advance of the creation of a system of records and there is the opportunity for written refusal of consent.

• access - the ability to acquire, directly or indirectly, the information contained in a system of records.

• authorization for disclosure - restricted to the system of records manager within the sponsoring agency, i.e., the Project Officer.

In order to streamline the process of establishing compliance with these statutes, the various Federal agencies within DHEW have prepared guidelines for compliance as well as official reporting forms. The best known of these deal with the Protection of Human Subjects, and require that proposed research procedures be reviewed and certified by an independent panel prior to actual work on a contract or grant. Because the improper release of personal data can be harmful to a respondent, a description of the confidentiality procedures in force and of the planned uses of the data has become a necessary input to the panel's decision.

Another form which has come into use is a statement of compliance with the Privacy Act. Although it is signed by a representative of the sponsoring agency, the researcher typically has to provide the actual information. Several key questions about the data must be answered. First, does it qualify as a "system of records", that is, is the data personally identifiable? Second, is there "routine use" of the data as a system of records, that is, are individuals constantly and systematically being personally identified? Third, who "maintains" the data and is in control of access to it?

In addition to certification of compliance with privacy and confidentiality regulations, agencies and their contractors are directed to follow specific guidelines in order to ensure compliance. They are currently required to:

• establish administrative, technical and physical safeguards in accordance with DHEW and National Bureau of Standards guidelines to ensure the security and confidentiality of a system of records

• establish rules of conduct for all employees involved in the design, development, operation or maintenance of a system of records and inform them of the Federal rules and regulations and penalties for noncompliance that apply

• report to the system of records manager all requests for disclosure of an individual's record, requests by any individual for access to his or her record and requests by any individual to amend his or her record

• refrain from any unauthorized disclosure of a record to anyone outside the sponsoring agency

• provide for the authorized access to or amendment of individual records by the individuals themselves

• keep an accurate accounting of all disclosures

• make such additional reports regarding the maintenance and operation of the system of records as required by contract or by law

Contractors also have additional obligations before creating a system of records, namely, to:

• inform the system of records manager within the sponsoring agency, i.e., their Project Officer or monitor, of all the information necessary to describe the existence and character of the proposed system of records pursuant to publication of that description in the Federal Register

• refrain from maintaining such a system of records for thirty days after the publication of the description of the proposed system in the Federal Register

• maintain in the system of records only that information which is relevant and necessary to the purposes of the contract

• collect information directly from the individual to the greatest extent possible, e.g., avoid hearsay and second-hand sources

• inform each individual from whom information is requested, by means of a direct statement on the form used to collect information or on a separate form that the individual can retain, of a) the principal purpose or purposes for which the information will be used, including specific enumeration of the purpose of the contract, b) the routine uses, i.e., disclosure of personally identifiable information, of the system of records and c) the effects on the individual, if any, of not providing any or all of the requested information.

More specific guidelines for ensuring privacy and confidentiality include the following:

• all personnel having access to or responsibility for a system of records are required to take and sign a nondisclosure oath and to be informed of their responsibilities and obligations regarding confidentiality

• all records and associated documents are to be stored in a locked receptacle when not in use

• all records and associated documents are to be inventoried and accounted for

• data banks and files shall be protected by passwords and other techniques which can be used to identify and verify the system user

• only personnel authorized to have physical or online terminal access to a system of records are allowed to do so

• backup and recovery data sets are subject to the same security requirements as primary data sets

• direct use of personally identifiable data should be marked "FOR OFFICIAL USE ONLY"

• a system of inspection and monitoring should be in effect to ensure that security measures are being properly adhered to

• all instances of access to a system of records should be authorized in advance and logged

• all anomalies in access to the systems of records should be thoroughly investigated and described

• disposal and destruction of unneeded records should include security measures, e.g., shredding before disposal

The problem of maintaining confidentiality begins with the actual collection of data. As soon as an individual becomes identified with a given research effort or information about that individual enters a system of records, the confidentiality process must be operative. One must keep in mind that any information, even that which is not harmful to the respondent, such as age and height, constitutes part of a system of records if it is personally identifiable. Admittedly, the stringency of the security measures used to safeguard such information may not have to be as great as when obviously harmful information such as criminal records is part of a system of records, but the authority for easing security measures lies with the system of records manager and not with the researcher.

The most direct method to establish information about individuals as a system of records is to have their names placed directly on the data collection forms. As long as those names remain on the forms, they constitute a continuous security problem. For that reason, the direct identification method may not be allowed by the sponsoring agency. One compromise to this method is to have the respondent's name located on a perforated "tear-away" portion of the data collection form; once data processing is complete, the names can be torn off the forms, thereby making the forms physically anonymous. Another variation of the "tear-away ID" method is to use pressure-sensitive stick-on labels that have two parts, one with the respondent's name on it that can be peeled off and the other with an arbitrary ID number on it that remains fixed to the data collection form. Still another version is to have the name of the respondent on the outside of an envelope and the data collection form with an ID number on it enclosed in the envelope.
Implicit in these methods is the knowledge on the part of the researcher of just who the respondents are. If the system of records manager decides that this knowledge is a liability to the respondents, more elaborate methods of data collection are needed. In the "double blind" method, someone other than the researcher contacts the respondents, collects their data and delivers it to the researcher. This outside entity acts as an "escrow agent" for the information linking an individual to his or her data. A less stringent but more manageable method is to follow the same procedures in-house while maintaining the data base. By keeping personal identification information in a separate but cross-linked file from actual research data, the research data is not in and of itself a system of records. It only becomes one when it is merged with the personal identification file.
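The separate-but-cross-linked file method described above, worked through as an added example that is not part of the original paper: collected forms are split into a linkage file (arbitrary ID to name) and a research file that carries only the arbitrary ID, and re-merging is gated on the records manager's authorization. The form fields, identifier field names and sample respondents are constructed.

```python
import secrets

# Constructed sample of collected forms with the respondent's name still on
# them, i.e. the "direct identification" case the text describes.
COLLECTED_FORMS = [
    {"name": "Alice Example", "school": "Lincoln Elementary", "score": 82},
    {"name": "Bob Sample", "school": "Lincoln Elementary", "score": 67},
    {"name": "Carol Test", "school": "Washington Middle", "score": 91},
]

# Field names treated as direct identifiers (assumed; extend to match the form).
DIRECT_IDENTIFIERS = {"name", "ssn", "drivers_license"}


def new_arbitrary_id(existing):
    """Random ID that cannot be translated back into a direct identifier."""
    while True:
        candidate = secrets.token_hex(4)  # 8 hex characters, e.g. '9f1c2a7b'
        if candidate not in existing:
            return candidate


def split_records(forms):
    """Split collected forms into two cross-linked files.

    identity_file: arbitrary ID -> direct identifiers (the linkage file, held
                   separately under the system of records manager's control)
    research_file: the research data carrying only the arbitrary ID
    """
    identity_file, research_file = {}, []
    for form in forms:
        rid = new_arbitrary_id(identity_file)
        identity_file[rid] = {k: v for k, v in form.items() if k in DIRECT_IDENTIFIERS}
        record = {k: v for k, v in form.items() if k not in DIRECT_IDENTIFIERS}
        record["id"] = rid
        research_file.append(record)
    return identity_file, research_file


def contains_direct_identifiers(research_file):
    """Check that the research file on its own is not a system of records."""
    return any(DIRECT_IDENTIFIERS & set(record) for record in research_file)


def merge(identity_file, research_file, authorized_by_manager):
    """Re-link identities to data; the merged result is a system of records,
    so it is produced only with the records manager's authorization."""
    if not authorized_by_manager:
        raise PermissionError("merge requires system of records manager authorization")
    return [dict(record, **identity_file[record["id"]]) for record in research_file]
```

The two files should be stored and backed up separately, since backup data sets fall under the same requirements as the primary ones.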

In small studies, the maintenance of acceptable confidentiality measures may be quite simple, e.g., by locking up all data in a safe when not being used, and by working with the data in a locked room. In short, by limiting access to data to a limited number of individuals under secure conditions, one has control over the confidentiality of the data.

If the system of records is stored in a computer system, the problems of maintaining confidentiality are increased. Physical access, other than the theft of card decks or magnetic tapes, is less of a problem than symbolic access, that is, the ability to use valid computer-related operations to inspect, copy, manipulate or destroy someone else's system of records.

In large computer environments, there are hundreds, even thousands of users, each of whom has a perfect right and reason to use the computer. In order to gain unauthorized access to a system of records, the outsider has to know 1) that the system exists, 2) how and where it is stored, 3) what name it is stored under and 4) what passwords and other protection devices have been used to restrict access. The assumption that this information is only of interest to authorized users and is known only by them is extremely naive.

Take, for example, the choice of keywords and passwords. In order not to forget their own keywords, many users will use their own initials or a convenient acronym (TEP for Teacher Evaluation Project). Access to such "protected" data is available to anyone with a casual knowledge of the study. A more devious but not difficult method is to appropriate discarded computer listings and coding sheets, since keywords are typically disguised by the computer on output, not input. Another common mistake is to write down keywords and openly display them or let others share them.

Here are some simple rules for maintaining keyword protected computer files:

• have an explicit list of authorized users on file with the computer center

• choose each letter or digit of the keyword at random and change it often. This may be inconvenient if there are multiple users, but the protection is worth it.

• restrict the number of occasions the keyword is written down to a minimum. Posting keywords on a bulletin board or circulating them in memos defeats their purpose.

• try to control the disposal of computer cards and paper that contain keywords. The overstrike feature that many on-line terminal systems use can be read through quite easily.

• unauthorized access, once suspected, can be monitored by the computer system itself. A "spy" circuit can be used to signal and locate the source of each access.

• the naming of data sets can also have confidentiality implications. Many computer installations publish daily the names of the on-line data sets that each user has, and there is a vast difference in the amount of curiosity aroused by a data set called "Data" and one called "Teacher Salary Data."
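The keyword rules above, together with the earlier guidelines that access be authorized in advance, logged, and its anomalies investigated, as one added example that is not from the original paper: a check that rejects keywords guessable from initials or the project acronym, random keyword generation, and an audit of a constructed access log against an explicit authorized-user list that reports the terminal each anomalous access came from. The log format, user names, data set name and working-hours window are assumptions.

```python
import secrets
import string
from datetime import datetime

ALPHABET = string.ascii_uppercase + string.digits
AUTHORIZED_USERS = {"JSMITH", "AJONES"}  # rule 1: explicit list of authorized users

# Constructed access log in an assumed format, one line per logged access,
# the kind of record the system's own monitoring would produce.
ACCESS_LOG = """\
1977-03-04 09:12 user=JSMITH dataset=TEP.SURVEY action=READ terminal=T07
1977-03-04 13:40 user=AJONES dataset=TEP.SURVEY action=WRITE terminal=T02
1977-03-04 23:55 user=JSMITH dataset=TEP.SURVEY action=COPY terminal=T19
1977-03-05 10:03 user=RDOE dataset=TEP.SURVEY action=READ terminal=T11
"""

def random_keyword(length=8):
    """Rule 2: every letter or digit chosen at random, nothing derived from
    the user or the study."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def is_weak_keyword(keyword, user_name, project_title):
    """True if the keyword is guessable from casual knowledge of the study:
    the user's initials or name, or the project's acronym or title words."""
    kw = keyword.upper()
    initials = "".join(w[0] for w in user_name.split()).upper()
    acronym = "".join(w[0] for w in project_title.split()).upper()
    guessable = {initials, acronym}
    guessable |= {w.upper() for w in user_name.split() + project_title.split()}
    return len(kw) < 6 or kw in guessable

def parse_line(line):
    """Turn one log line into a dict with a parsed timestamp."""
    date, time, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["when"] = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")
    return rec

def audit_access(log_text, authorized, work_hours=(8, 18)):
    """Flag accesses by users not on the authorized list and accesses outside
    working hours, reporting the terminal so the source of each anomalous
    access can be located and investigated."""
    anomalies = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        reasons = []
        if rec["user"] not in authorized:
            reasons.append("user not on authorized list")
        if not work_hours[0] <= rec["when"].hour < work_hours[1]:
            reasons.append("access outside working hours")
        if reasons:
            anomalies.append((rec["user"], rec["terminal"], rec["when"], reasons))
    return anomalies
```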

The efforts within DHEW to establish guidelines in defining privacy and confidentiality compliance are still at an interim stage and are likely to change as new legislation and new research concerns arise. In particular, the inherent contradiction between maintaining data confidentiality and allowing access to information about an individual creates real problems for the researcher. If data are not collected in a personally identifiable manner, how can the researcher authenticate the responses? Moreover, how can that data be reliably linked to other individual-level data from another source? The collection of completely anonymous data rules out the possibility for later verification of responses, longitudinal research and multi-instrument designs. Also, the typical requirement that raw data be held for several years after the end of a research contract creates a situation where the legal obligations and liabilities of the contractor outlast the financial coverage provided by the contracting agency.

As new legislation is enacted and the interaction between sponsor and researcher exposes the advantages and disadvantages of current guidelines and regulations, the nature of the confidentiality process is bound to change. Nevertheless, the maintenance of the confidentiality of research data is now a legal obligation on the part of the researcher and not simply a professional or ethical one. By building confidentiality methods directly into the evaluational design, they may prove to be less of a hindrance than one might expect. If, however, they are postponed or ignored, the researcher is definitely taking severe risks through noncompliance with the law.